Appl. No.: 10/676,383 

Amdt. Dated November 21, 2007 

Response to Office Action of July 31, 2007 

Amendments to the Claims : 

This following listing of claims will replace all prior versions and listings of claims in 
the application. 

1. (currently amended) A method enabling a flow-based data collection scheme, 
comprising 

receiving a flow, the flow comprising at least one packet; 
monitoring the flow in relation to at least one flow attribute; 
associating a traffic type to the flow; 

upon termination of the flow, composing a flow data record comprising a traffic 
type identifier corresponding to the traffic type associated with the flow and the at least 
one monitored flow attribute; and 

storing the flow data record in a database; 
wherein associating the traffic type to the flow comprises: 

parsing at least one packet associated with the flow into a flow 
specification, wherein said flow specification contains at least one instance of any one of 
the following: a protocol family designation, a direction of packet flow designation, a 
protocol type designation, a pair of hosts, a pair of ports, a pointer to a multipurpose 
internet mail extensions (MIME) type, a pointer to an application-specific attribute; 

matching the flow specification of the parsing step to a plurality of 

hierarchically-recognized traffic types represented by a plurality of nodes, each node 
having a traffic specification defining at least one matching attribute; thereupon, 
having found a matching node in the matching step, associating the flow 
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specification with a traffic type of said plurality of hierarchically-recognized traffic 
types . 

2. (canceled) 

3. (canceled) 

4. (currently amended) Tho method of claim 1 further comprising A method enabling a 
flow-based data collection scheme, comprising 

receiving a flow, the flow comprising at least one packet; 

monitoring the flow in relation to at least one flow attribute; 

associating a traffic type to the flow; 

upon termination of the flow, composing a flow data record comprising a traffic 

type identifier corresponding to the traffic type associated with the flow and the at least 
one monitored flow attribute; and 

storing the flow data record in a database; 

parsing at least one packet associated with the flow into a first flow 
specification, wherein said first flow specification contains at least one instance of any 
one of the following: a protocol family designation, a direction of packet flow 
designation, a protocol type designation, a pair of hosts, a pair of ports, a pointer to a 
multipurpose internet mail extensions (MIME) M JME type, a pointer to an application- 
specific attribute; 

matching the first flow specification of the parsing step to a plurality of 
recognized traffic types represented by a plurality entries in at least one traffic type 
identification table, each entry in the traffic type identification table including at least 
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one matching attribute; thereupon, 

having found a matching traffic type in the matching step, associating the 
first flow specification with a traffic type of said plurality of recognized traffic types in 
the at least one traffic identification table. 

5. (original) The method of claim 1 wherein the at least one flow attribute is one of any 
of the following: a first packet time, a last packet time, the number of packets in the 
flow, the number of bytes in the flow, the number of retransmitted bytes in the flow, or 
a round trip time. 

6. (original) The method of claim 1 wherein the flow data record further includes one 
of any of the following: source address, destination address, source port number, 
destination port number, VLAN identifier, type of service identifier, a protocol family 
designation, a direction of packet flow designation, a protocol type designation, a 
protocol message designation, a first packet time, a last packet time, the number of 
packets in the flow, the number of bytes in the flow, the number of retransmitted bytes 
in the flow, or a round trip time. 

7. (currently amended) The method of claim 1 wherein termination of [[a]] the flow is 
determined based on a threshold period of time and the time of the last packet in the 
flow. 

8. (currently amended) The method of claim 1 wherein termination of [[a]] the flow is 
determined based on a protocol message. 
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9. (original) The method of claim 8 wherein the protocol message is a TCP FIN packet. 

10. (original) The method of claim 1 wherein at least one mapping exists between a 
traffic type identifier transmitted in flow data records and a traffic type name; and 
wherein the method further comprises 

periodically storing the at least one mapping in the database. 

11. (currently amended) The method of claim 1 wherein at least one mapping exists 
between [[a]] the traffic type identifier transmitted in flow data records and a traffic 
type name; and wherein the method further comprises 

periodically transmitting the at least one mapping for storage in the database. 

12. (original) The method of claim 11 wherein the at least one mapping is transmitted 
in one or more mapping messages; and wherein the mapping messages further include 
time stamps. 

13. (currently amended) An apparatus enabling a flow-based data collection scheme, 
comprising 

a packet processor operative to 

receive a flow, the flow comprising at least one packet; 
associate a traffic type to the flow; 

monitor the flow in relation to at least one flow attribute; and 
a flow data record emitter operative to: 
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upon termination of [[a]] the flow, compose a flow data record comprising 
a traffic type identifier corresponding to the traffic type associated with the flow and the 
at least one monitored attribute; and 

transmit the flow data record to a data collector; 
wherein, to associate the traffic type to the flow, the packet processor is further 
operative to 

parse at least one packet associated with the flow into a flow specification, 

wherein said flow specification contains at least one instance of any one of the 
following: a protocol family designation, a direction of packet flow designation, a 
protocol type designation, a pair of hosts, a pair of ports, a pointer to a MIME type, a 
pointer to an application-specific attribute; 

match the flow specification to a plurality of hierarchically-recognized 

traffic types represented by a plurality of nodes, each node having a traffic specification 
defining at least one matching attribute; thereupon, 

having found a matching node in the matching step, associate the flow 

specification with a traffic type of said plurality of hierarchically-recognized traffic 
types. 

14. (currently amended) The apparatus of claim 13 further comprising 
a traffic classification database operative to 

store mappings between traffic type names and traffic type identifiers; 
classify [[a]] the flow into [[a]] the traffic type based on the at least one 
attribute of the flow; and 

wherein the flow data record emitter is further operative to: 
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transmit the mappings between the traffic type names and traffic type 
identifiers to the data collector. 

15. (canceled) 

16. (canceled) 

17. (currently amended) The apparatus of claim 13 wherein the packet processor io 
further operative to An apparatus enabling a flow-based data collection scheme, 
comprising 

a packet processor operative to 

receive a flow, the flow comprising at least one packet; 

associate a traffic type to the flow; 

monitor the flow in relation to at least one flow attribute; and 

a flow data record emitter operative to: 

upon termination of the flow, compose a flow data record comprising a 

traffic type identifier corresponding to the traffic type associated with the flow and the 

at least one monitored attribute: and 

transmit the flow data record to a data collector; 

wherein, to associate the traffic type to the flow, the packet processor is further 
operative to 

parse at least one packet associated with the flow into a first flow specification, 
wherein said first flow specification contains at least one instance of any one of the 
following: a protocol family designation, a direction of packet flow designation, a 
protocol type designation, a pair of hosts, a pair of ports, a pointer to a multipurpose 
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internet mail extensions (MIME) M IME type, a pointer to an application-specific 
attribute; 

match the first flow specification to a plurality of recognized traffic types 
represented by a plurality entries in at least one traffic type identification table, each 
entry in the traffic type identification table including at least one matching attribute; 
thereupon, 

having found a matching traffic type in the matching step, associate the first flow 
specification with a traffic type of said plurality of recognized traffic types in the at least 
one traffic identification table. 

18. (original) The apparatus of claim 13 wherein the at least one flow attribute is one of 
any of the following: a first packet time, a last packet time, the number of packets in the 
flow, the number of bytes in the flow, the number of retransmitted bytes in the flow, or 
a round trip time. 

19. (original) The apparatus of claim 13 wherein the flow data record further includes 
one of any of the following: source address, destination address, source port number, 
destination port number, VLAN identifier, type of service identifier, a protocol family 
designation, a direction of packet flow designation, a protocol type designation, a 
protocol message designation, a first packet time, a last packet time, the number of 
packets in the flow, the number of bytes in the flow, the number of retransmitted bytes 
in the flow, or a round trip time. 

20. (currently amended) The apparatus of claim 13 wherein termination of [[a]] the 
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flow is determined based on a threshold period of time and the time of the last packet in 
the flow. 

21. (currently amended) The apparatus of claim 13 wherein termination of [[a]] the 
flow is determined based on a protocol message. 

22. (original) The apparatus of claim 21 wherein the protocol message is a TCP FIN 
packet. 

23. (currently amended) A system enabling a flow-based data collection scheme, 
comprising 

at least one network device disposed in a communication path between first and 
second networks; the first network device comprising 
a packet processor operative to 

receive a flow, the flow comprising at least one packet; 
associate a traffic type to the flow; 

monitor the flow in relation to at least one flow attribute; 
wherein, to associate the traffic type to the flow, the packet processor is further 
operative to 

parse at least one packet associated with the flow into a flow specification, 

wherein said flow specification contains at least one instance of any one of the 
following: a protocol family designation, a direction of packet flow designation, a 
protocol type designation, a pair of hosts, a pair of ports, a pointer to a multipurpose 
internet mail extensions (MIME) type, a pointer to an application-specific attribute; 
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match the flow specification to a plurality of hierarchically-recognized 

traffic types represented by a plurality of nodes, each node having a traffic specification 
defining at least one matching attribute; thereupon, 

having found a matching node in the matching step, associate the first 

flow specification with a traffic type of said plurality of hierarchically-recognized traffic 
types; and 

a flow data record emitter operative to: 

upon termination of a flow, compose a flow data record comprising 
a traffic type identifier corresponding to the traffic type associated with the flow and the 
at least one monitored attribute; and 

transmit the flow data record to a data collector; and 
the [[a]] data collector operative to: 

receive flow data records from the first network device; and 
store the flow data records in a searchable database. 

24. (currently amended) The system of claim 23 further comprising 
a traffic classification database operative to 

store mappings between traffic type names and traffic type identifiers; 
classify a flow into a traffic type based on the at least one attribute of the 

flow; and 

wherein the flow data record emitter is further operative to: 

transmit the mappings between the traffic type names and traffic type 
identifiers to the data collector. 
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25. (canceled) 

26. (canceled) 

27. (currently amended) The system of claim 23 wherein the packet processor is further 
operative to A system enabling a flow-based data collection scheme, comprising 

at least one network device disposed in a communication path between first and 

second networks; the first network device comprising 

a packet processor operative to 

receive a flow, the flow comprising at least one packet; 

associate a traffic type to the flow; 

monitor the flow in relation to at least one flow attribute; 

wherein, to associate the traffic type to the flow, the packet processor is further 
operative to 

parse at least one packet associated with the flow into a first flow 

specification, wherein said first flow specification contains at least one instance of any 
one of the following: a protocol family designation, a direction of packet flow 
designation, a protocol type designation, a pair of hosts, a pair of ports, a pointer to a 
multipurpose internet mail extensions (MIME) M iME type, a pointer to an application- 
specific attribute; 

match the first flow specification to a plurality of recognized traffic types 

represented by a plurality entries in at least one traffic type identification table, each 
entry in the traffic type identification table including at least one matching attribute; 
thereupon, 

having found a matching traffic type in the matching step, associate the 
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first flow specification with a traffic type of said plurality of recognized traffic types in 
the at least one traffic identification table ; and 
a flow data record emitter operative to: 

upon termination of a flow, compose a flow data record comprising 

a traffic type identifier corresponding to the traffic type associated with the flow and the 
at least one monitored attribute; and 

transmit the flow data record to a data collector; and 

a data collector operative to: 

receive flow data records from the first network device; and 

store the flow data records in a searchable database . 

28. (original) The system of claim 23 wherein the at least one flow attribute is one of 
any of the following: a first packet time, a last packet time, the number of packets in the 
flow, the number of bytes in the flow, the number of retransmitted bytes in the flow, or 
a round trip time. 

29. (original) The system of claim 23 wherein the flow data record further includes one 
of any of the following: source address, destination address, source port number, 
destination port number, VLAN identifier, type of service identifier, a protocol family 
designation, a direction of packet flow designation, a protocol type designation, a 
protocol message designation, a first packet time, a last packet time, the number of 
packets in the flow, the number of bytes in the flow, the number of retransmitted bytes 
in the flow, or a round trip time. 
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30. (original) The system of claim 23 wherein termination of a flow is determined based 
on a threshold period of time and the time of the last packet in the flow. 

31. (original) The system of claim 23 wherein termination of a flow is determined based 
on a protocol message. 

32. (original) The system of claim 31 wherein the protocol message is a TCP FIN 
packet. 
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